Jim Penny <[EMAIL PROTECTED]> wrote:
[...]
> I needed a generalization of this scheme (and so ended up writing my own
> User Folder).
>
> We manufacture parts which are controlled by second parties, but bought
> primarily by third parties. I will call these parties Manufacturer,
> Brand Owners, and Contractors.
>
> I now have two kinds of administrators, and two kinds of users. There
> are unrestricted administrators and users. Since this really is
> enforced only at the user folder level (normal zope machinery is used
> elsewhere), a quick description is that an unrestricted administrator
> may create, modify or destroy any user or Brand Owner Name, and may
> associate any list of Brand owner names with any user. Any unrestricted
> user has a flag designating him as such and it is expected that
> application code check the flag and permit access to the contents held
> for Brand Owners.
>
> Restricted Administrators may create new users, modify users, or delete
> (some) users. However, any user they create may have only a subset of
> their brand owner name list (and their normal zope permissions).
> They may remove any of their brand names from a user that has one or
> more of the brand names under their control. They may delete users that
> have brand names only under their control. They may also create other
> administrators, subject to the subset restrictions.
>
> Restricted Users have a brand list associated with them. Application
> logic can use this brand list to filter content.
>
> The restricted administrator is a big deal to us. If this takes off, we
> will not be able to properly control the set of Restricted Users (at
> Brand Owners and Contractors). Failure to do so could lead to legal
> exposure, so by creating Restricted Administrators who are Brand Owners,
> the control (and thus most of the legal exposure) can be shifted back to
> the Brand Owner.
This screams of ACLs for user management... I'm having the need too, in the context of CMF. I ended up writing an additional service (portal_directory) that has a complex set of ACLs to mediate access to the user folder. Some code will be released soon.

Florent

--
Florent Guillaume, Nuxeo (Paris, France) +33 1 40 33 79 10
http://nuxeo.com mailto:[EMAIL PROTECTED]

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
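The delegation rules Jim describes (restricted administrators may only hand out a subset of their own brand list, may strip only their own brands, and may delete only users whose brands all fall under their control) are easy to get subtly wrong in application code, so here is a small model of them. This is an added example written for this page; it is not Jim Penny's User Folder, nor Zope's or CMF's user folder or Florent's portal_directory. The class and method names (`BrandScopedUserFolder`, `Account`, `create_user`, `remove_brands`, `delete_user`, `visible`) are assumptions, as is the rule that only an unrestricted administrator can create another unrestricted account, which the thread does not spell out.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when an actor attempts something outside its delegated authority."""


@dataclass
class Account:
    name: str
    brands: frozenset           # Brand Owner names this account may act on
    is_admin: bool = False
    unrestricted: bool = False  # the flag application code checks to bypass brand filtering


class BrandScopedUserFolder:
    """Toy user folder (assumed name) enforcing the restricted-administrator rules."""

    def __init__(self, root_admin: str):
        # Bootstrap with a single unrestricted administrator (an assumption of this example).
        root = Account(root_admin, frozenset(), is_admin=True, unrestricted=True)
        self.accounts = {root_admin: root}

    def _require_admin(self, actor: Account) -> None:
        if not actor.is_admin:
            raise PermissionDenied(f"{actor.name} is not an administrator")

    def _controls(self, actor: Account, brands) -> bool:
        # Unrestricted admins control every brand; restricted ones only their own list.
        return actor.unrestricted or frozenset(brands) <= actor.brands

    def create_user(self, actor, name, brands, *, is_admin=False, unrestricted=False):
        """Create a user (or another administrator) with at most the actor's own brands."""
        self._require_admin(actor)
        if name in self.accounts:
            raise ValueError(f"{name} already exists")
        if not self._controls(actor, brands):
            raise PermissionDenied(f"{actor.name} may only grant a subset of its own brands")
        # Assumption: only an unrestricted admin may mint another unrestricted account.
        if unrestricted and not actor.unrestricted:
            raise PermissionDenied("restricted administrators cannot create unrestricted accounts")
        account = Account(name, frozenset(brands), is_admin, unrestricted)
        self.accounts[name] = account
        return account

    def remove_brands(self, actor, name, brands):
        """A restricted admin may remove only its own brand names, and only from a
        user who currently holds at least one brand under that admin's control."""
        self._require_admin(actor)
        target = self.accounts[name]
        brands = frozenset(brands)
        if not self._controls(actor, brands):
            raise PermissionDenied(f"{actor.name} does not control all of {sorted(brands)}")
        if not actor.unrestricted and not (target.brands & actor.brands):
            raise PermissionDenied(f"{name} holds no brand controlled by {actor.name}")
        target.brands = target.brands - brands
        return target.brands

    def delete_user(self, actor, name):
        """A restricted admin may delete only users whose brands are all under its control."""
        self._require_admin(actor)
        target = self.accounts[name]
        if not self._controls(actor, target.brands):
            raise PermissionDenied(f"{name} has brands outside {actor.name}'s control")
        del self.accounts[name]

    @staticmethod
    def visible(actor, content):
        """Application-side filter: unrestricted accounts see everything, restricted
        ones only items tagged with one of their brands. `content` maps item -> brand."""
        if actor.unrestricted:
            return sorted(content)
        return sorted(item for item, brand in content.items() if brand in actor.brands)


def denied(action, *args, **kwargs) -> bool:
    """True if the action is refused with PermissionDenied, False if it succeeds."""
    try:
        action(*args, **kwargs)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data: a root admin, a Brand Owner admin, and a few users.
    folder = BrandScopedUserFolder("root")
    root = folder.accounts["root"]
    acme = folder.create_user(root, "acme-admin", {"Acme", "Globex"}, is_admin=True)
    folder.create_user(acme, "bob", {"Acme"})
    print("subset violation refused:", denied(folder.create_user, acme, "eve", {"Acme", "Initech"}))
    carol = folder.create_user(root, "carol", {"Acme", "Initech"})
    print("carol after Acme removed:", sorted(folder.remove_brands(acme, "carol", {"Acme"})))
    print("acme-admin may delete carol:", not denied(folder.delete_user, acme, "carol"))
```

The two checks in `remove_brands` are the easy ones to drop: without the second, a restricted administrator could touch users who hold none of its brands, and without the first it could strip brands it never controlled. The `delete_user` rule is deliberately stricter than `remove_brands`: once carol keeps a brand outside acme-admin's list, that administrator can no longer delete her, which is exactly the boundary that keeps control (and the legal exposure Jim mentions) with the right Brand Owner.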